In the error path, the cloned state is dropped without removing its
hardware offload, leaking the offloaded SA entry.
Fixes: a9d155ea9b44 ("xfrm: add XFRM_MSG_MIGRATE_STATE for single SA migration")
Reported-by: Sashiko <[email protected]>
Signed-off-by: Antony Antony <[email protected]>
---
net/xfrm/xfrm_user.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 29cbdc836cfc..87ef198993db 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -3500,6 +3500,8 @@ static int xfrm_do_migrate_state(struct sk_buff *skb,
struct nlmsghdr *nlh,
xfrm_state_put(x);
return err;
out_xc:
+ if (m.xuo)
+ xfrm_dev_state_delete(xc);
xc->km.state = XFRM_STATE_DEAD;
xfrm_state_put(xc);
xfrm_state_put(x);
--
2.47.3